$Id: howto-ssh-with-rsa-keys-(passwordless-login).txt,v 1.2 2003/03/20 05:57:31 joko Exp $

$Log: howto-ssh-with-rsa-keys-(passwordless-login).txt,v $
Revision 1.2  2003/03/20 05:57:31  joko
updated

Revision 1.1.1.1  2002/02/11 01:22:17  cvsjoko
first checkin'



------------------------------------------------------------------------------
1. local machine (e.g.: your laptop) (want to login to remote one)

  THIS METHOD IS a) CLUMSY AND b) DANGEROUS!!!
  PLEASE USE METHOD 2. TO DO THIS!

  - check if you can login to the remote machine 
    via "normal" password authentication:
    - ssh <username>@<remote_machine>

  - create keys:
    - rsa-keys: ssh-keygen
    - dsa-keys: ssh-keygen -d

  - create authorized_keys:
    - cd ~/.ssh/
    - rsa-keys: cat identity.pub >> authorized_keys
    - dsa-keys: cat id_dsa.pub >> authorized_keys

  - take care of proper file-permissions
    - chmod -R og-rwx ~/.ssh

  - authorize remote machines / distribute "authorized_keys"
    - scp authorized_keys <username>@<remote_machine>:~/.ssh/
      this is dangerous!!! it will overwrite the "authorized_keys" file completely

  - test login to remote machine
    - ssh <remote_machine>

2. remote machine (e.g.: a backup server) (want to login to this one)

  which is machine is what?
    <worker>  the machine you are working on
    <remote>  the machine you want to log in
  
  which account is what?
    <service> is the account on <worker> (this one might execute some cronjobs)
    <joko_backup> is the account on <remote>

  [key generation] one-time preparations needed for <worker>:
    x useradd service
    x su service
    x ssh-keygen -d
  
  [key distribution] to be executed on <remote>:
    x useradd joko_backup
    x su joko_backup
    x ssh service@<worker> "cat ~/.ssh/id_dsa.pub" >> ~/.ssh/authorized_keys
      the (") with the first (remote) command are important!
      otherwise your *local* shell would expand the tilde (~)
      
  [key distribution] to be executed on <worker>:
    This is an alternative to above if the account on <remote> already exists,
    and it is somehow required not to execute commands 
    actively/manually at the <remote> side. Picture this: "the worker works".
    #> cat ~/.ssh/id_dsa.pub | ssh joko@netfrag.org "cat - >> ~/.ssh/authorized_keys"
    
    If the account at remote side doesn't exists,
    this shortcut might create it from the <worker> side as well:
      x ssh root@<remote> "useradd joko_backup"
  
  [login] test it on <worker>:
    x su service
    x ssh joko_backup@<remote-machine>

------------------------------------------------------------------------------

    
------------------------------------------
  annotiations
------------------------------------------
- transfer files via ZMODEM-protocol and TeraTerm
  - on remote machine
    - sz <file1> <file2> <fileX>
    - in TeraTerm, do 
       - File/Change Directory ...
       - File/Transfer/ZMODEM/Recieve